Datomic Knowledgebase - Recent questions tagged h2

Possibly security issue with the dev H2 storage?

Wed, 13 Mar 2024 21:58:26 +0000

While trying to understand more about the behaviour of Datomic dev (mainly from a security/encryption point of view), I attempted to connect to datomic.mv.db from an instance of the H2 console. I accidentally tried to log in as "admin" with a blank password and was surprised when I connected successfully. Connecting as "admin" with any password fails, so it seems explicitly to be blank. As far as I can tell I only have public schema access and can't see any transacted data, but I am able to run SQL queries in the console.

Clearly a dev transactor isn't intended to be high security, but admin with a blank password seems risky even for a dev environment. In most SQL environments I work with, the sa/admin account is just disabled if not used. Am I missing something?

As an aside, does the dev transactor use H2's AES encryption or is the resulting data file unencrypted?

Advice on CVEs of h2 version 1.3.171

Tue, 05 Apr 2022 16:21:32 +0000

Using com.datomic/datomic-pro version "1.0.6362" brings in a transitive dependency on com.h2database/h2 version "1.3.171" (on-prem).

The latter suffers from various CVEs:

(c.f. mvnrepository.com/artifact/com.h2database/h2/1.3.171

Is a Datomic upgrade planned to resolve this?
If not and in the meantime, can you give any advice on how to deal with this? In particular:
Can you give detailed advice on whether these vulnerabilities actually do or do not constitute a security risk?
3.1 Some of the CVEs mention h2 console as part of an attack vector, and I have heard this would not apply to Datomic. However, I have not found official information on this. Moreover, if I understood correctly, there are other attack vectors. Please advise.
3.2 The first linked CVE is a SQLXML XXE. It seems like this would not apply as long as getSQLXML is not called, but this is just my impression and I do not know about usage in Datomic. Please advise.
Do you have any advice on overriding the h2 dependency with an h2 version not suffering from these CVEs, say version "2.1.210"? As this a major upgrade, I expect problems. In particular, I expect migrating existing h2 databases to be problematic.

Thank you very much for your assistance.

Remove com.h2database/h2 from classpath

Tue, 01 Feb 2022 15:36:23 +0000

When running Datomic on the Postgres storage, we wanted to exclude H2 from the Peer classpath, but this turns out not to be possible.

With the following deps.edn

{:deps      {com.datomic/datomic-pro   {:mvn/version "1.0.6362"
                                        :exclusions  [com.h2database/h2]}
             org.postgresql/postgresql {:mvn/version "42.3.1"}}
 :mvn/repos {"my.datomic.com" {:url "https://my.datomic.com/repo"}}}

trying to create the database leads to

(d/create-database "datomic:sql://test?jdbc:postgresql://localhost:5432/datomic?user=datomic")
Execution error (ClassNotFoundException) at java.net.URLClassLoader/findClass (URLClassLoader.java:387).
org.h2.tools.Server

Is there another way to accomplish this?

The reason we want to exclude h2 from the classpath is because the maven artifact for h2 has several HIGH CVEs reported on it (https://mvnrepository.com/artifact/com.h2database/h2/1.3.172). I understand that Datomic does not run the H2 console and is also does not involve SQLXML, so it is probably not vulnerable to the specific CVEs, however, it would be an easy way to remove a dev-only dependency in a production deployment.